Schlagwort-Archive: Integrated Windows Authentication

A few days ago I had a real strange problem while using HttpClient in combination with ASP.NET Web API and integrated windows authentication (IIS Express). To keep it simple, I always got a 401 (Unauthorized) error returned from the localhost website, even though I was setting up the HttpClient correctly (see screenshots) and the HttpClient was sending the authorization header (negotiate).

After researching a while I found out, that exactly the .fiddler URI addition is part of the problem for the 401 error I always received. Microsoft changed the logic of the NTLM authentication for some of the security classes in .NET version 3.5 SP1 (see link below) in order to avoid relefection attacks. A reflection attack is a method of attacking a challenge-response authentication system. The HttpClient uses those changed classes internally to connect to the website.

So, the solution is quite simple. We just need to add the registry key BackConnectionHostNames (important: Multi-Value String) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Lsa\MSV1_0 section in the registry with the value localhost.fiddler. A full explanation about the security concepts in WIA you will find at Microsoft’s site: Changes to NTLM authentication for HTTPWebRequest in Version 3.5 SP1

You can easily reproduce this error by creating a standard MVC4 web application with a Web API controller using windows authentication (see screenshot for settings). Then you add a console application to the project from which access the REST API (ValuesController).